Re: transition to ip6

On 31.03.2012 17:37, Les Mikesell wrote:
> On Sat, Mar 31, 2012 at 8:06 AM, Peter Eckel <lists@xxxxxxxxxxxx> wrote:
>>
>> So, before you do anything else, set up proper incoming and outgoing IPv6 port filtering rules on your perimeter routers. It will save you a hell of a headache.
> 
> If the addresses are auto-discovered, how are you supposed to be able
> to configure filtering rules for what you want to let through?

Same as today: machines which need individual filtering rules need
static addresses. That includes all machines which are to accept
connections traversing the firewall, but also machines which are
permitted to access services that are not generally allowed.

One difference though: machines will typically have more than one
IPv6 address, so you may have to somehow make sure that you don't
use a different address than the one which is mentioned in the
filtering rule. That's no problem for incoming connections. You
just have to allow the same addresses in the firewall as you
published in DNS. But for outgoing connections (for example, from
mail servers) you may have to explicitly specify the source address.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
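
The two checks described in the reply above, as an added example that is not part of the original message: published addresses must match the inbound rule, and any address the host might use as a source must match the outbound rule, otherwise the source has to be set explicitly. The function names and the addresses (taken from the 2001:db8::/32 documentation prefix) are assumptions made for illustration.

```python
import ipaddress
import socket

def audit(published, allowed_in, allowed_out, host_addrs):
    """Compare one host's IPv6 addresses with its perimeter rules.

    published   : AAAA records for the host
    allowed_in  : destination addresses/prefixes accepted inbound
    allowed_out : source addresses/prefixes accepted outbound
    host_addrs  : every address configured on the host's interfaces
    """
    def covered(addr, rules):
        a = ipaddress.IPv6Address(addr)
        return any(a in ipaddress.IPv6Network(r, strict=False) for r in rules)

    findings = []
    for addr in published:
        if not covered(addr, allowed_in):
            findings.append(("published-not-allowed", addr))
    for addr in host_addrs:
        a = ipaddress.IPv6Address(addr)
        if a.is_link_local or a.is_loopback:
            continue  # never leaves the local link, irrelevant at the perimeter
        if not covered(addr, allowed_out):
            # If the OS selects this address as source, the rule will not match.
            findings.append(("source-not-in-rule", addr))
    return findings

def connect_from(source, host, port, timeout=10):
    """Connect with an explicit source address so the outgoing rule matches."""
    return socket.create_connection((host, port), timeout,
                                    source_address=(source, 0))

# Constructed sample: a mail server with one static and one autoconfigured address.
STATIC = "2001:db8:0:1::25"
HOST_ADDRS = [STATIC, "2001:db8:0:1:211:22ff:fe33:4455", "fe80::211:22ff:fe33:4455"]

if __name__ == "__main__":
    for kind, addr in audit([STATIC], [STATIC], [STATIC], HOST_ADDRS):
        print(kind, addr)
```

A "source-not-in-rule" finding means the host either needs that address removed, the rule widened, or its outgoing service bound to the static address, which is what `connect_from` does for a single TCP connection.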

